Repeatable reverse engineering with PANDA

Brendan Dolan-Gavitt, Josh Hodosh, Patrick Hulin, Tim Leek, Ryan Whelan

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.
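    The mechanism the abstract rests on, recording only the nondeterministic inputs of an execution so that a long run replays deterministically and can be analysed again later with instrumentation that was not present at record time, can be shown on a toy machine. The following is an added illustration written for this page; it is not PANDA's code and does not reproduce its internals (PANDA records at the QEMU device and CPU level and lifts guest code to LLVM IR, none of which is modelled here). The 8-bit register machine, its instruction set, the program, and the input bytes are all constructed for the example. Its one nondeterministic instruction is IN, which reads a byte from the outside world: recording stores only those reads tagged with the instruction count, replay feeds them back and fails loudly if an IN arrives at a different instruction count, and a byte-level taint plugin that was absent during recording is attached at replay time and still observes every instruction.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


class ReplayDivergence(Exception):
    """Replay met an IN that the log did not predict."""


@dataclass
class Machine:
    """Constructed 8-bit register machine; IN is its only nondeterministic instruction."""
    program: List[tuple]
    regs: Dict[str, int] = field(default_factory=lambda: {f"r{i}": 0 for i in range(4)})
    mem: Dict[int, int] = field(default_factory=dict)
    pc: int = 0
    icount: int = 0
    plugins: List[Callable[["Machine", tuple], None]] = field(default_factory=list)

    def run(self, world=None, replay_log=None) -> List[Tuple[int, int]]:
        """Record mode: IN draws from iterator `world`; replay mode: from `replay_log`,
        checked against icount. Returns the log of (icount, byte); identical in both modes."""
        log: List[Tuple[int, int]] = []
        replay = iter(replay_log) if replay_log is not None else None
        while True:
            insn = self.program[self.pc]
            for plugin in self.plugins:            # analyses observe, never alter state
                plugin(self, insn)
            op, next_pc = insn[0], self.pc + 1
            if op == "halt":
                return log
            if op == "in":                         # r <- external byte (the only nondeterminism)
                entry = next(replay, None) if replay is not None else (self.icount, next(world) & 0xFF)
                if entry is None or entry[0] != self.icount:
                    raise ReplayDivergence(f"log does not predict an IN at icount {self.icount}")
                log.append(entry)
                self.regs[insn[1]] = entry[1]
            elif op == "mov":                      # r <- imm
                self.regs[insn[1]] = insn[2] & 0xFF
            elif op in ("add", "xor"):             # rd <- ra (+ | ^) rb
                a, b = self.regs[insn[2]], self.regs[insn[3]]
                self.regs[insn[1]] = (a + b) & 0xFF if op == "add" else a ^ b
            elif op == "st":                       # mem[addr] <- r
                self.mem[insn[2]] = self.regs[insn[1]]
            elif op == "jz":                       # if r == 0: pc <- target
                next_pc = insn[2] if self.regs[insn[1]] == 0 else next_pc
            elif op == "jmp":                      # pc <- target
                next_pc = insn[1]
            self.pc, self.icount = next_pc, self.icount + 1


@dataclass
class TaintPlugin:
    """Byte-level taint attached at replay; label n marks data derived from the n-th IN."""
    reg: Dict[str, Set[int]] = field(default_factory=dict)
    mem: Dict[int, Set[int]] = field(default_factory=dict)
    n_inputs: int = 0

    def __call__(self, m: Machine, insn: tuple) -> None:
        op = insn[0]
        if op == "in":                             # fresh label for each external byte
            self.reg[insn[1]] = {self.n_inputs}
            self.n_inputs += 1
        elif op == "mov":                          # immediates carry no taint
            self.reg[insn[1]] = set()
        elif op in ("add", "xor"):                 # result is tainted by both operands
            self.reg[insn[1]] = self.reg.get(insn[2], set()) | self.reg.get(insn[3], set())
        elif op == "st":
            self.mem[insn[2]] = set(self.reg.get(insn[1], set()))
        # jz, jmp and halt move no data, so they propagate no taint


# Constructed program: sum input bytes until a zero byte, xor with a constant, store.
PROGRAM = [
    ("in", "r0"), ("jz", "r0", 4), ("add", "r1", "r1", "r0"), ("jmp", 0),          # 0-3 loop
    ("mov", "r2", 0x2A), ("xor", "r1", "r1", "r2"), ("st", "r1", 0x10), ("halt",),  # 4-7
]
WORLD_INPUT = [3, 5, 7, 0]  # constructed "outside world" bytes; the 0 terminates the loop


def replay_diverges(program: List[tuple], log: List[Tuple[int, int]]) -> bool:
    """True if `program` cannot reproduce the execution that produced `log`."""
    try:
        Machine(program).run(replay_log=log)
    except ReplayDivergence:
        return True
    return False


def demo() -> dict:
    recorded = Machine(PROGRAM)
    log = recorded.run(world=iter(WORLD_INPUT))    # 17 instructions, 4 logged bytes
    taint = TaintPlugin()                          # attached only at replay time
    replayed = Machine(PROGRAM, plugins=[taint])
    replayed.run(replay_log=log)
    return {
        "log": log,
        "insns_executed": replayed.icount,
        "same_state": (recorded.regs, recorded.mem) == (replayed.regs, replayed.mem),
        "result": replayed.mem[0x10],
        "result_taint": sorted(taint.mem[0x10]),   # inputs 0, 1, 2 reach the result
        "r0_taint": sorted(taint.reg["r0"]),       # the terminator (input 3) does not
    }
```

    Calling `demo()` records the run, replays it with the taint plugin attached, and returns the log alongside the replayed state. Two points carry over to real record/replay systems: the log holds four entries for seventeen executed instructions because only external inputs are stored, which is why the log size tracks I/O rather than instruction count; and the replay refuses to continue when an IN shows up at an instruction count the log does not predict, since the alternative is a replay that silently diverges from the recording and produces analysis results for an execution that never happened.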

    Original language: English (US)
    Title of host publication: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015
    Publisher: Association for Computing Machinery
    Volume: 08-December-2015
    ISBN (Electronic): 9781450336420
    DOIs: 10.1145/2843859.2843867
    State: Published - Dec 8 2015
    Event: 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Los Angeles, United States
    Duration: Dec 8 2015 → …

    Other

    Other: 5th Program Protection and Reverse Engineering Workshop, PPREW 2015
    Country: United States
    City: Los Angeles
    Period: 12/8/15 → …

    Keywords

    • Instrumentation
    • Introspection
    • Record/replay

    ASJC Scopus subject areas

    • Human-Computer Interaction
    • Computer Networks and Communications
    • Computer Vision and Pattern Recognition
    • Software

    Cite this

    Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., & Whelan, R. (2015). Repeatable reverse engineering with PANDA. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015 (Vol. 08-December-2015). [2843867] Association for Computing Machinery. https://doi.org/10.1145/2843859.2843867

    @inproceedings{eb2719ffb16c4886b3b6f5f4f973ae74,
    title = "Repeatable reverse engineering with PANDA",
    abstract = "We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.",
    keywords = "Instrumentation, Introspection, Record/replay",
    author = "Brendan Dolan-Gavitt and Josh Hodosh and Patrick Hulin and Tim Leek and Ryan Whelan",
    year = "2015",
    month = "12",
    day = "8",
    doi = "10.1145/2843859.2843867",
    language = "English (US)",
    volume = "08-December-2015",
    booktitle = "Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015",
    publisher = "Association for Computing Machinery",

    }

    TY - GEN

    T1 - Repeatable reverse engineering with PANDA

    AU - Dolan-Gavitt, Brendan

    AU - Hodosh, Josh

    AU - Hulin, Patrick

    AU - Leek, Tim

    AU - Whelan, Ryan

    PY - 2015/12/8

    Y1 - 2015/12/8

    N2 - We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.

    KW - Instrumentation

    KW - Introspection

    KW - Record/replay

    UR - http://www.scopus.com/inward/record.url?scp=85007595775&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85007595775&partnerID=8YFLogxK

    U2 - 10.1145/2843859.2843867

    DO - 10.1145/2843859.2843867

    M3 - Conference contribution

    VL - 08-December-2015

    BT - Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015

    PB - Association for Computing Machinery

    ER -